Index: lib/libc/net/getaddrinfo.c
diff -c lib/libc/net/getaddrinfo.c:1.9.2.9 lib/libc/net/getaddrinfo.c:1.9.2.11
*** lib/libc/net/getaddrinfo.c:1.9.2.9	Sun Mar  3 12:45:30 2002
--- lib/libc/net/getaddrinfo.c	Sun Sep 22 07:20:23 2002
***************
*** 182,192 ****
  #define	PTON_MAX	4
  #endif
  
! #if PACKETSZ > 1024
! #define MAXPACKET	PACKETSZ
! #else
! #define MAXPACKET	1024
! #endif
  
  typedef union {
  	HEADER hdr;
--- 182,188 ----
  #define	PTON_MAX	4
  #endif
  
! #define MAXPACKET	(64*1024)
  
  typedef union {
  	HEADER hdr;
***************
*** 1407,1413 ****
  	struct addrinfo **res;
  {
  	struct addrinfo *ai;
! 	querybuf buf, buf2;
  	const char *name;
  	struct addrinfo sentinel, *cur;
  	struct res_target q, q2;
--- 1403,1409 ----
  	struct addrinfo **res;
  {
  	struct addrinfo *ai;
! 	querybuf *buf, *buf2;
  	const char *name;
  	struct addrinfo sentinel, *cur;
  	struct res_target q, q2;
***************
*** 1417,1463 ****
  	memset(&sentinel, 0, sizeof(sentinel));
  	cur = &sentinel;
  
  	switch (pai->ai_family) {
  	case AF_UNSPEC:
  		/* prefer IPv6 */
  		q.qclass = C_IN;
  		q.qtype = T_AAAA;
! 		q.answer = buf.buf;
! 		q.anslen = sizeof(buf);
  		q.next = &q2;
  		q2.qclass = C_IN;
  		q2.qtype = T_A;
! 		q2.answer = buf2.buf;
! 		q2.anslen = sizeof(buf2);
  		break;
  	case AF_INET:
  		q.qclass = C_IN;
  		q.qtype = T_A;
! 		q.answer = buf.buf;
! 		q.anslen = sizeof(buf);
  		break;
  	case AF_INET6:
  		q.qclass = C_IN;
  		q.qtype = T_AAAA;
! 		q.answer = buf.buf;
! 		q.anslen = sizeof(buf);
  		break;
  	default:
  		return EAI_FAIL;
  	}
! 	if (res_searchN(hostname, &q) < 0)
  		return EAI_NODATA;
! 	ai = getanswer(&buf, q.n, q.name, q.qtype, pai);
  	if (ai) {
  		cur->ai_next = ai;
  		while (cur && cur->ai_next)
  			cur = cur->ai_next;
  	}
  	if (q.next) {
! 		ai = getanswer(&buf2, q2.n, q2.name, q2.qtype, pai);
  		if (ai)
  			cur->ai_next = ai;
  	}
  	if (sentinel.ai_next == NULL)
  		switch (h_errno) {
  		case HOST_NOT_FOUND:
--- 1413,1478 ----
  	memset(&sentinel, 0, sizeof(sentinel));
  	cur = &sentinel;
  
+ 	buf = malloc(sizeof(*buf));
+ 	if (!buf) {
+ 		h_errno = NETDB_INTERNAL;
+ 		return EAI_MEMORY;
+ 	}
+ 	buf2 = malloc(sizeof(*buf2));
+ 	if (!buf2) {
+ 		free(buf);
+ 		h_errno = NETDB_INTERNAL;
+ 		return EAI_MEMORY;
+ 	}
+ 
  	switch (pai->ai_family) {
  	case AF_UNSPEC:
  		/* prefer IPv6 */
  		q.qclass = C_IN;
  		q.qtype = T_AAAA;
! 		q.answer = buf->buf;
! 		q.anslen = sizeof(buf->buf);
  		q.next = &q2;
  		q2.qclass = C_IN;
  		q2.qtype = T_A;
! 		q2.answer = buf2->buf;
! 		q2.anslen = sizeof(buf2->buf);
  		break;
  	case AF_INET:
  		q.qclass = C_IN;
  		q.qtype = T_A;
! 		q.answer = buf->buf;
! 		q.anslen = sizeof(buf->buf);
  		break;
  	case AF_INET6:
  		q.qclass = C_IN;
  		q.qtype = T_AAAA;
! 		q.answer = buf->buf;
! 		q.anslen = sizeof(buf->buf);
  		break;
  	default:
+ 		free(buf);
+ 		free(buf2);
  		return EAI_FAIL;
  	}
! 	if (res_searchN(hostname, &q) < 0) {
! 		free(buf);
! 		free(buf2);
  		return EAI_NODATA;
! 	}
! 	ai = getanswer(buf, q.n, q.name, q.qtype, pai);
  	if (ai) {
  		cur->ai_next = ai;
  		while (cur && cur->ai_next)
  			cur = cur->ai_next;
  	}
  	if (q.next) {
! 		ai = getanswer(buf2, q2.n, q2.name, q2.qtype, pai);
  		if (ai)
  			cur->ai_next = ai;
  	}
+ 	free(buf);
+ 	free(buf2);
  	if (sentinel.ai_next == NULL)
  		switch (h_errno) {
  		case HOST_NOT_FOUND:
***************
*** 1662,1668 ****
  	const char *name;	/* domain name */
  	struct res_target *target;
  {
! 	u_char buf[MAXPACKET];
  	HEADER *hp;
  	int n;
  	struct res_target *t;
--- 1677,1683 ----
  	const char *name;	/* domain name */
  	struct res_target *target;
  {
! 	u_char *buf;
  	HEADER *hp;
  	int n;
  	struct res_target *t;
***************
*** 1677,1682 ****
--- 1692,1703 ----
  		return (-1);
  	}
  
+ 	buf = malloc(MAXPACKET);
+ 	if (!buf) {
+ 		h_errno = NETDB_INTERNAL;
+ 		return (-1);
+ 	}
+ 
  	for (t = target; t; t = t->next) {
  		int class, type;
  		u_char *answer;
***************
*** 1696,1709 ****
  #endif
  
  		n = res_mkquery(QUERY, name, class, type, NULL, 0, NULL,
! 		    buf, sizeof(buf));
  		if (n > 0 && (_res.options & RES_USE_EDNS0) != 0)
! 			n = res_opt(n, buf, sizeof(buf), anslen);
  		if (n <= 0) {
  #ifdef DEBUG
  			if (_res.options & RES_DEBUG)
  				printf(";; res_query: mkquery failed\n");
  #endif
  			h_errno = NO_RECOVERY;
  			return (n);
  		}
--- 1717,1731 ----
  #endif
  
  		n = res_mkquery(QUERY, name, class, type, NULL, 0, NULL,
! 		    buf, MAXPACKET);
  		if (n > 0 && (_res.options & RES_USE_EDNS0) != 0)
! 			n = res_opt(n, buf, MAXPACKET, anslen);
  		if (n <= 0) {
  #ifdef DEBUG
  			if (_res.options & RES_DEBUG)
  				printf(";; res_query: mkquery failed\n");
  #endif
+ 			free(buf);
  			h_errno = NO_RECOVERY;
  			return (n);
  		}
***************
*** 1714,1725 ****
  			if (_res.options & RES_DEBUG)
  				printf(";; res_query: send error\n");
  #endif
  			h_errno = TRY_AGAIN;
  			return (n);
  		}
  #endif
  
! 		if (n < 0 || hp->rcode != NOERROR || ntohs(hp->ancount) == 0) {
  			rcode = hp->rcode;	/* record most recent error */
  #ifdef DEBUG
  			if (_res.options & RES_DEBUG)
--- 1736,1750 ----
  			if (_res.options & RES_DEBUG)
  				printf(";; res_query: send error\n");
  #endif
+ 			free(buf);
  			h_errno = TRY_AGAIN;
  			return (n);
  		}
  #endif
  
! 		if (n < 0 || n > anslen)
! 			hp->rcode = FORMERR; /* XXX not very informative */
! 		if (hp->rcode != NOERROR || ntohs(hp->ancount) == 0) {
  			rcode = hp->rcode;	/* record most recent error */
  #ifdef DEBUG
  			if (_res.options & RES_DEBUG)
***************
*** 1733,1738 ****
--- 1758,1765 ----
  
  		t->n = n;
  	}
+ 
+ 	free(buf);
  
  	if (ancount == 0) {
  		switch (rcode) {
Index: lib/libc/net/gethostbydns.c
diff -c lib/libc/net/gethostbydns.c:1.27.2.2 lib/libc/net/gethostbydns.c:1.27.2.3
*** lib/libc/net/gethostbydns.c:1.27.2.2	Wed Jun 26 01:24:29 2002
--- lib/libc/net/gethostbydns.c	Thu Sep 19 08:45:23 2002
***************
*** 584,591 ****
  				break;
  		}
  
! 	if ((n = res_search(name, C_IN, type, buf.buf, sizeof(buf))) < 0) {
  		dprintf("res_search failed (%d)\n", n);
  		return (NULL);
  	}
  	return (gethostanswer(&buf, n, name, type));
--- 584,595 ----
  				break;
  		}
  
! 	n = res_search(name, C_IN, type, buf.buf, sizeof(buf.buf));
! 	if (n < 0) {
  		dprintf("res_search failed (%d)\n", n);
+ 		return (NULL);
+ 	} else if (n > sizeof(buf.buf)) {
+ 		dprintf("static buffer is too small (%d)\n", n);
  		return (NULL);
  	}
  	return (gethostanswer(&buf, n, name, type));
Index: lib/libc/net/getnetbydns.c
diff -c lib/libc/net/getnetbydns.c:1.13.2.2 lib/libc/net/getnetbydns.c:1.13.2.3
*** lib/libc/net/getnetbydns.c:1.13.2.2	Wed Jun 26 01:34:18 2002
--- lib/libc/net/getnetbydns.c	Thu Sep 19 08:45:23 2002
***************
*** 256,262 ****
  	if (anslen < 0) {
  #ifdef DEBUG
  		if (_res.options & RES_DEBUG)
! 			printf("res_query failed\n");
  #endif
  		return (NULL);
  	}
--- 256,268 ----
  	if (anslen < 0) {
  #ifdef DEBUG
  		if (_res.options & RES_DEBUG)
! 			printf("res_search failed\n");
! #endif
! 		return (NULL);
! 	} else if (anslen > sizeof(buf)) {
! #ifdef DEBUG
! 		if (_res.options & RES_DEBUG)
! 			printf("res_search static buffer too small\n");
  #endif
  		return (NULL);
  	}
***************
*** 291,297 ****
  	if (anslen < 0) {
  #ifdef DEBUG
  		if (_res.options & RES_DEBUG)
! 			printf("res_query failed\n");
  #endif
  		return (NULL);
  	}
--- 297,309 ----
  	if (anslen < 0) {
  #ifdef DEBUG
  		if (_res.options & RES_DEBUG)
! 			printf("res_search failed\n");
! #endif
! 		return (NULL);
! 	} else if (anslen > sizeof(buf)) {
! #ifdef DEBUG
! 		if (_res.options & RES_DEBUG)
! 			printf("res_search static buffer too small\n");
  #endif
  		return (NULL);
  	}
Index: lib/libc/net/name6.c
diff -c lib/libc/net/name6.c:1.6.2.6 lib/libc/net/name6.c:1.6.2.7
*** lib/libc/net/name6.c:1.6.2.6	Wed Jun 26 01:06:43 2002
--- lib/libc/net/name6.c	Thu Sep 19 08:45:23 2002
***************
*** 994,1004 ****
          int     rtl_type;
  };
  
! #if PACKETSZ > 1024
! #define	MAXPACKET	PACKETSZ
! #else
! #define	MAXPACKET	1024
! #endif
  
  typedef union {
  	HEADER hdr;
--- 994,1000 ----
          int     rtl_type;
  };
  
! #define	MAXPACKET	(64*1024)
  
  typedef union {
  	HEADER hdr;
***************
*** 1305,1311 ****
  	int trailing_dot, ret, saved_herrno;
  	int got_nodata = 0, got_servfail = 0, tried_as_is = 0;
  	struct __res_type_list *rtl0 = rtl;
! 	querybuf buf;
  
  	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
  		*errp = NETDB_INTERNAL;
--- 1301,1307 ----
  	int trailing_dot, ret, saved_herrno;
  	int got_nodata = 0, got_servfail = 0, tried_as_is = 0;
  	struct __res_type_list *rtl0 = rtl;
! 	querybuf *buf;
  
  	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
  		*errp = NETDB_INTERNAL;
***************
*** 1318,1334 ****
  	if (cp > name && *--cp == '.')
  		trailing_dot++;
  
  	/* If there aren't any dots, it could be a user-level alias */
  	if (!dots && (cp = hostalias(name)) != NULL) {
  		for(rtl = rtl0; rtl != NULL;
  		    rtl = SLIST_NEXT(rtl, rtl_entry)) {
! 			ret = res_query(cp, C_IN, rtl->rtl_type, buf.buf,
! 					     sizeof(buf.buf));
! 			if (ret > 0) {
  				hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
  				    ? AF_INET6 : AF_INET;
  				hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
! 				hp = getanswer(&buf, ret, name, rtl->rtl_type,
  						    &hpbuf, errp);
  				if (!hp)
  					continue;
--- 1314,1336 ----
  	if (cp > name && *--cp == '.')
  		trailing_dot++;
  
+ 	buf = malloc(sizeof(*buf));
+ 	if (buf == NULL) {
+ 		*errp = NETDB_INTERNAL;
+ 		return NULL;
+ 	}
+ 
  	/* If there aren't any dots, it could be a user-level alias */
  	if (!dots && (cp = hostalias(name)) != NULL) {
  		for(rtl = rtl0; rtl != NULL;
  		    rtl = SLIST_NEXT(rtl, rtl_entry)) {
! 			ret = res_query(cp, C_IN, rtl->rtl_type, buf->buf,
! 					     sizeof(buf->buf));
! 			if (ret > 0 && ret < sizeof(buf->buf)) {
  				hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
  				    ? AF_INET6 : AF_INET;
  				hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
! 				hp = getanswer(buf, ret, name, rtl->rtl_type,
  						    &hpbuf, errp);
  				if (!hp)
  					continue;
***************
*** 1336,1341 ****
--- 1338,1344 ----
  				hp0 = _hpmerge(hp0, hp, errp);
  			}
  		}
+ 		free(buf);
  		return (hp0);
  	}
  
***************
*** 1348,1359 ****
  		for(rtl = rtl0; rtl != NULL;
  		    rtl = SLIST_NEXT(rtl, rtl_entry)) {
  			ret = res_querydomain(name, NULL, C_IN, rtl->rtl_type,
! 					      buf.buf, sizeof(buf.buf));
! 			if (ret > 0) {
  				hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
  				    ? AF_INET6 : AF_INET;
  				hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
! 				hp = getanswer(&buf, ret, name, rtl->rtl_type,
  						    &hpbuf, errp);
  				if (!hp)
  					continue;
--- 1351,1362 ----
  		for(rtl = rtl0; rtl != NULL;
  		    rtl = SLIST_NEXT(rtl, rtl_entry)) {
  			ret = res_querydomain(name, NULL, C_IN, rtl->rtl_type,
! 					      buf->buf, sizeof(buf->buf));
! 			if (ret > 0 && ret < sizeof(buf->buf)) {
  				hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
  				    ? AF_INET6 : AF_INET;
  				hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
! 				hp = getanswer(buf, ret, name, rtl->rtl_type,
  						    &hpbuf, errp);
  				if (!hp)
  					continue;
***************
*** 1361,1368 ****
  				hp0 = _hpmerge(hp0, hp, errp);
  			}
  		}
! 		if (hp0 != NULL)
  			return (hp0);
  		saved_herrno = *errp;
  		tried_as_is++;
  	}
--- 1364,1373 ----
  				hp0 = _hpmerge(hp0, hp, errp);
  			}
  		}
! 		if (hp0 != NULL) {
! 			free(buf);
  			return (hp0);
+ 		}
  		saved_herrno = *errp;
  		tried_as_is++;
  	}
***************
*** 1385,1396 ****
  			    rtl = SLIST_NEXT(rtl, rtl_entry)) {
  				ret = res_querydomain(name, *domain, C_IN,
  						      rtl->rtl_type,
! 						      buf.buf, sizeof(buf.buf));
! 				if (ret > 0) {
  					hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
  					    ? AF_INET6 : AF_INET;
  					hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
! 					hp = getanswer(&buf, ret, name,
  					    rtl->rtl_type, &hpbuf, errp);
  					if (!hp)
  						continue;
--- 1390,1401 ----
  			    rtl = SLIST_NEXT(rtl, rtl_entry)) {
  				ret = res_querydomain(name, *domain, C_IN,
  						      rtl->rtl_type,
! 						      buf->buf, sizeof(buf->buf));
! 				if (ret > 0 && ret < sizeof(buf->buf)) {
  					hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
  					    ? AF_INET6 : AF_INET;
  					hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
! 					hp = getanswer(buf, ret, name,
  					    rtl->rtl_type, &hpbuf, errp);
  					if (!hp)
  						continue;
***************
*** 1398,1405 ****
  					hp0 = _hpmerge(hp0, hp, errp);
  				}
  			}
! 			if (hp0 != NULL)
  				return (hp0);
  
  			/*
  			 * If no server present, give up.
--- 1403,1412 ----
  					hp0 = _hpmerge(hp0, hp, errp);
  				}
  			}
! 			if (hp0 != NULL) {
! 				free(buf);
  				return (hp0);
+ 			}
  
  			/*
  			 * If no server present, give up.
***************
*** 1415,1420 ****
--- 1422,1428 ----
  			 * fully-qualified.
  			 */
  			if (errno == ECONNREFUSED) {
+ 				free(buf);
  				*errp = TRY_AGAIN;
  				return (NULL);
  			}
***************
*** 1427,1433 ****
  				/* keep trying */
  				break;
  			case TRY_AGAIN:
! 				if (buf.hdr.rcode == SERVFAIL) {
  					/* try next search element, if any */
  					got_servfail++;
  					break;
--- 1435,1441 ----
  				/* keep trying */
  				break;
  			case TRY_AGAIN:
! 				if (buf->hdr.rcode == SERVFAIL) {
  					/* try next search element, if any */
  					got_servfail++;
  					break;
***************
*** 1455,1466 ****
  		for(rtl = rtl0; rtl != NULL;
  		    rtl = SLIST_NEXT(rtl, rtl_entry)) {
  			ret = res_querydomain(name, NULL, C_IN, rtl->rtl_type,
! 					      buf.buf, sizeof(buf.buf));
! 			if (ret > 0) {
  				hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
  				    ? AF_INET6 : AF_INET;
  				hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
! 				hp = getanswer(&buf, ret, name, rtl->rtl_type,
  				    &hpbuf, errp);
  				if (!hp)
  					continue;
--- 1463,1474 ----
  		for(rtl = rtl0; rtl != NULL;
  		    rtl = SLIST_NEXT(rtl, rtl_entry)) {
  			ret = res_querydomain(name, NULL, C_IN, rtl->rtl_type,
! 					      buf->buf, sizeof(buf->buf));
! 			if (ret > 0 && ret < sizeof(buf->buf)) {
  				hpbuf.h_addrtype = (rtl->rtl_type == T_AAAA)
  				    ? AF_INET6 : AF_INET;
  				hpbuf.h_length = ADDRLEN(hpbuf.h_addrtype);
! 				hp = getanswer(buf, ret, name, rtl->rtl_type,
  				    &hpbuf, errp);
  				if (!hp)
  					continue;
***************
*** 1468,1477 ****
  				hp0 = _hpmerge(hp0, hp, errp);
  			}
  		}
! 		if (hp0 != NULL)
  			return (hp0);
  	}
  
  	/* if we got here, we didn't satisfy the search.
  	 * if we did an initial full query, return that query's h_errno
  	 * (note that we wouldn't be here if that query had succeeded).
--- 1476,1489 ----
  				hp0 = _hpmerge(hp0, hp, errp);
  			}
  		}
! 		if (hp0 != NULL) {
! 			free(buf);
  			return (hp0);
+ 		}
  	}
  
+ 	free(buf);
+ 
  	/* if we got here, we didn't satisfy the search.
  	 * if we did an initial full query, return that query's h_errno
  	 * (note that we wouldn't be here if that query had succeeded).
***************
*** 1531,1537 ****
  #ifdef INET6
  	static const char hex[] = "0123456789abcdef";
  #endif
! 	querybuf buf;
  	char qbuf[MAXDNAME+1];
  	char *hlist[2];
  
--- 1543,1549 ----
  #ifdef INET6
  	static const char hex[] = "0123456789abcdef";
  #endif
! 	querybuf *buf;
  	char qbuf[MAXDNAME+1];
  	char *hlist[2];
  
***************
*** 1584,1595 ****
  		break;
  	}
  
! 	n = res_query(qbuf, C_IN, T_PTR, buf.buf, sizeof buf.buf);
  	if (n < 0) {
  		*errp = h_errno;
  		return NULL;
  	}
! 	hp = getanswer(&buf, n, qbuf, T_PTR, &hbuf, errp);
  	if (!hp)
  		return NULL;
  	hbuf.h_addrtype = af;
--- 1596,1622 ----
  		break;
  	}
  
! 	buf = malloc(sizeof(*buf));
! 	if (buf == NULL) {
! 		*errp = NETDB_INTERNAL;
! 		return NULL;
! 	}
! 
! 	n = res_query(qbuf, C_IN, T_PTR, buf->buf, sizeof buf->buf);
  	if (n < 0) {
+ 		free(buf);
  		*errp = h_errno;
  		return NULL;
+ 	} else if (n > sizeof(buf->buf)) {
+ 		free(buf);
+ 		*errp = NETDB_INTERNAL;
+ #if 0
+ 		errno = ERANGE; /* XXX is it OK to set errno here? */
+ #endif
+ 		return NULL;
  	}
! 	hp = getanswer(buf, n, qbuf, T_PTR, &hbuf, errp);
! 	free(buf);
  	if (!hp)
  		return NULL;
  	hbuf.h_addrtype = af;
Index: lib/libc/net/res_mkquery.c
diff -c lib/libc/net/res_mkquery.c:1.15.2.1 lib/libc/net/res_mkquery.c:1.15.2.2
*** lib/libc/net/res_mkquery.c:1.15.2.1	Fri Jun 15 17:08:28 2001
--- lib/libc/net/res_mkquery.c	Fri Sep 20 05:45:35 2002
***************
*** 228,233 ****
--- 228,235 ----
  
  	__putshort(T_OPT, cp);	/* TYPE */
  	cp += INT16SZ;
+ 	if (anslen > 0xffff)
+ 		anslen = 0xffff;		/* limit to 16bit value */
  	__putshort(anslen & 0xffff, cp);	/* CLASS = UDP payload size */
  	cp += INT16SZ;
  	*cp++ = NOERROR;	/* extended RCODE */
